Access Control
Connected MCP Servers Access
MCP Hub access control is currently feature-flagged. Delegated MCP Server Admins and selected-space restrictions are available only when FEATURE_FLAG_ENABLE_MCP_ACCESS_CONTROL_UN_20854 is enabled for the tenant. Existing connector behavior is unchanged while the flag is disabled.
Delegated MCP Server Administration
Delegated MCP Server administration lets a tenant-wide connector admin assign specific users to manage a specific origin MCP server without granting full connector administration rights. Only users who hold either connectors.admin.read or space.admin.write can be assigned as MCP Server Admin.
An assigned MCP Server Admin can:
see the Connectors admin section
see only the MCP servers assigned to them in the admin
authenticate an assigned server when OAuth setup is still required
refresh tools, edit server metadata, configure tools, and enable or disable the assigned server
configure selected-space restrictions for the assigned server
An assigned MCP Server Admin cannot:
manage the server admin roster
delete MCP servers
view or modify unassigned MCP servers
Space Restrictions For MCP Servers
Selected-space restrictions let administrators limit an origin MCP server to specific Spaces.
When a connector is limited to selected spaces:
only selected spaces can see the connector during Space configuration
assignment paths check the allowlist before adding the connector to a Space
runtime tool exposure and tool calls are checked against the selected spaces
Clearing the restriction makes the connector available to all spaces again.
Virtual Server Access
Virtual-server access is the more experimental part of the access-control model. It applies to published virtual servers, not to origin MCP server administration.
| Connect | Manage |
|---|---|
| Allows a user to connect an MCP client to a published virtual server and invoke its approved tools. | Allows an administrator to manage the virtual server lifecycle, tool selection, metadata, OAuth provider, and access list. |
Virtual servers also keep last-manager protection: a virtual server cannot be left without a manager. The last MANAGE holder is protected from removal.
Policy Layers
| Layer | Control | What it prevents |
|---|---|---|
| Infrastructure allowlist | Only approved origin URLs can be registered. The platform owns this first gate through URL pattern policy. | Unreviewed external MCP servers entering the catalog. |
| Connector catalog | Administrators approve origins and enable tools organization-wide before they can be packaged. | Raw origin capabilities leaking directly into user workflows. |
| Delegated connector administration | Specific users can administer assigned origin MCP servers without receiving tenant-wide connector administration rights. | Solution teams needing broad administrative privileges just to configure their own servers. |
| Connector space allowlist | Origin MCP servers can be limited to selected Spaces/Assistants. | Connectors being assigned to or used by Spaces outside their intended audience. |
| Virtual server tool set | Each endpoint exposes only selected tools. | Broad connector permissions being reused for every client. |
| Publication state | Draft servers are not discoverable; unpublished servers stop external access. | Premature or stale endpoints staying available. |
| Virtual-server access | Connect and manage access entries are enforced per virtual server. | Unauthorized users connecting to sensitive endpoints. |
| Downstream identity | Tool calls use the end user's downstream OAuth credentials. | Shared accounts and cross-user credential leakage. |
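
The virtual-server layers above (publication state, tool set, and Connect/Manage entries with last-manager protection) can be modelled as one deny-by-default check. This is an added example, not the product's code: the `VirtualServer` class, its method names, and the sample users and tools are hypothetical, and it assumes a MANAGE entry does not by itself grant CONNECT.

```python
from dataclasses import dataclass, field

CONNECT, MANAGE = "CONNECT", "MANAGE"

class AccessError(Exception):
    """Raised when an access-list change would violate the model."""

@dataclass
class VirtualServer:
    name: str
    tools: set                     # tools selected for this endpoint
    published: bool = False        # draft/unpublished: no external access
    grants: dict = field(default_factory=dict)  # user -> set of levels

    def managers(self):
        return {u for u, lv in self.grants.items() if MANAGE in lv}

    def grant(self, user, level):
        self.grants.setdefault(user, set()).add(level)

    def revoke(self, user, level):
        # Last-manager protection: never leave the server without a manager.
        if level == MANAGE and self.managers() == {user}:
            raise AccessError("last MANAGE holder cannot be removed")
        self.grants.get(user, set()).discard(level)

    def authorize_call(self, user, tool):
        """Return (allowed, reason); every layer must pass."""
        if not self.published:
            return False, "server not published"
        # Assumption: levels are independent, so CONNECT must be explicit.
        if CONNECT not in self.grants.get(user, set()):
            return False, "no CONNECT entry"
        if tool not in self.tools:
            return False, "tool not exposed by this endpoint"
        return True, "ok"

def demo():
    # Constructed sample data, for illustration only.
    vs = VirtualServer("tickets-readonly", tools={"search_tickets"})
    vs.grant("alice", MANAGE)
    vs.grant("bob", CONNECT)
    results = [vs.authorize_call("bob", "search_tickets")]      # still a draft
    vs.published = True
    results.append(vs.authorize_call("bob", "search_tickets"))  # all layers pass
    results.append(vs.authorize_call("bob", "delete_ticket"))   # outside tool set
    try:
        vs.revoke("alice", MANAGE)                              # only manager
    except AccessError as exc:
        results.append((False, str(exc)))
    return results
```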
Recommended Rules
Assign MCP Server Admins only for the connectors they own operationally.
Use selected-space restrictions when a connector should be available only to specific assistants or teams.
Create separate virtual servers for different risk profiles instead of one broad endpoint.
Use read-only tools for pilots and proof-of-value deployments.
Keep destructive or externally visible actions in dedicated endpoints with smaller access lists.
Unpublish endpoints immediately when ownership, scope, or downstream systems change.
Document the intended audience and prohibited use cases in the virtual server description.